Onboarding to Microsoft Defender for Endpoint
Start course

This course explores Microsoft Defender for Endpoint and how to implement it. We’ll start off with a quick overview of the three deployment phases that you’ll need to complete in order to implement Defender for Endpoint. We’ll then run through each of the individual deployment phases in a bit more detail.

Learning Objectives

By the time you finish this course, you should have a good understanding of what steps you need to take to implement Microsoft Defender for Endpoint.

Intended Audience

This course is intended for anyone who wishes to learn about the steps involved in implementing Microsoft Defender for Endpoint.


To get the most out of this course, you should have a fundamental understanding of basic endpoint protection concepts.


Welcome back. The last step in the implementation of Microsoft Defender for Endpoint is the onboarding of devices to the service. During this last step, you onboard endpoints to the service and then you configure capabilities.

Before onboarding your devices, you need to first decide which deployment method you need to use.

Defender for Endpoint offers the most deployment options for those who need to onboard Windows endpoints. For example, if you are onboarding 10 or fewer Windows devices to the service, you can use a local script. Other onboarding options include Group Policy, which is a pretty common approach, and Microsoft Endpoint Manager or Mobile Device Manager. You can also use Microsoft Endpoint Configuration Manager to onboard Windows devices, VDI scripts, or even rely on integration with Azure Defender.

If you have macOS endpoints to onboard, you can use local scripts, Microsoft Endpoint Manager, JAMF Pro, or Mobile Device Management.

Linux Servers can be onboarded using local scripts, Puppet, or Ansible.

iOS devices are onboarded through the app store, while Android devices can be onboarded via Microsoft Endpoint Manager.

Now, once your endpoints have been onboarded, you need to configure capabilities like endpoint detection and response, next-generation protection, and attack surface reduction.

I should mention that when you deploy Defender for Endpoint, you typically do it in “rings”. These rings are known as “deployment rings”. There are usually 3 different deployment rings that you have to work through. They include the Evaluation ring, the Pilot ring, and then Full Deployment ring.

You deploy in rings to ensure things are working as they should, before rolling out to all devices.

When deploying in the evaluation ring, you typically identify a few dozen systems or devices that you onboard as a small pilot. If everything goes well, you progress to the next ring, which is the Pilot ring. The Pilot ring usually consists of 50-100 production endpoints. If all goes well in the Pilot ring, you progress to the Full deployment, where you onboard the rest of your production endpoints.

By onboarding via deployment rings, you can limit any negative effects of a deployment gone wrong.

Microsoft offers some pretty good documentation on a few different onboarding scenarios. To read about onboarding using Microsoft Endpoint Configuration Manager, visit the URL that you see on your screen.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.